The Collector Stealer malware, a Russian-origin credential and data theft tool active since mid-2020, still appears to have live C2 beacons, probably part of a campaign abusing compromised subdomains of legitimate European businesses. In this report we trace the investigation from a single Censys HTTP body hash to a detailed map of the campaign's infrastructure, focusing on three domains:

en[.]veres-m[.]hu
www[.]hr[.]cargo-ni[.]co[.]rs
rs[.]familytherapycenter[.]rs


from a single Censys hash to a full infrastructure map


1. How the hunt began

While pivoting through Censys for generic stealer control panels, the following HTTP body hash kept recurring:

ab591240acbb2c35d8ddcbfdbcf4a5191c79c9c4bc0bd52e1a2ac5052e5b12e9

Querying Censys with:

web.endpoints.http.body_hash_sha256 = "ab591240acbb2c35d8ddcbfdbcf4a5191c79c9c4bc0bd52e1a2ac5052e5b12e9"

We obtained the following:

Host                        Role surfaced by Censys                          Country (hosting)
en.veres-m.hu               Hungarian game-server provider sub-site          US (Cloudflare)
www.hr.cargo-ni.co.rs       “HR” subdomain of a Serbian auto-parts seller    CZ
rs.familytherapycenter.rs   “RS” subdomain of a Belgrade physio clinic       DE

All three served exactly the same HTML: a minimal Bootstrap login headed “Collector Stealer panel [t.me/getmineteam]” with a POST target of /index.php?auth.

The rest of this post reconstructs how these benign-looking businesses ended up fronting a C2, what lives on each IP, and which artefacts tie everything together.


2. Anatomy of the panel

<form action="/index.php?auth" method="post">
  <input name="username">
  <input name="password" type="password">
</form>

  • Backend – Apache + PHP 7.4.33 on all hosts.
  • State – no cookies or CSRF tokens; a stateless POST straight to PHP.
  • UX – on bad credentials the panel responds “Error login or password”; nothing else.
  • Telegram hook – the banner references t.me/getmineteam, but the channel has been deleted.

HTML Structure:

<form action="/index.php?auth" method="post">
    <div class="form-group mt-3">
        <input type="text" class="form-control" name="username" placeholder="username">
    </div>
    <div class="form-group mt-3">
        <input type="password" class="form-control" name="password" placeholder="password">
    </div>
    <button type="submit" id="sendlogin" class="btn btn-primary mt-3">login</button>
</form>

We captured a HAR from rs.familytherapycenter.rs showing the panel returning HTTP 200 and pulling /assets/css/bootstrap.min.css v5.0.0-beta2. /favicon.ico returns HTML instead of an icon, a lazy mistake that fingerprints the kit across the three hosts.
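The traits above (the Censys body hash, the banner, the /index.php?auth form and the HTML favicon) can be turned into a repeatable check over HAR captures. This is an added example, not tooling from the post; the HAR fragment and the host panel.example.test are constructed, and only the body hash, banner and form action come from the page.

```python
import hashlib
import json
from urllib.parse import urlparse

# Traits of the kit as observed on the three hosts in this post.
KNOWN_BODY_SHA256 = "ab591240acbb2c35d8ddcbfdbcf4a5191c79c9c4bc0bd52e1a2ac5052e5b12e9"
PANEL_BANNER = "Collector Stealer panel [t.me/getmineteam]"
LOGIN_FORM = 'action="/index.php?auth" method="post"'


def fingerprint_panel(body: str, favicon_body: str = "", favicon_mime: str = "") -> dict:
    """Score one host's responses against the panel's traits. The exact body hash is
    the strong signal; the other hits survive trivial edits to the kit."""
    hits = {
        "body_hash_match": hashlib.sha256(body.encode()).hexdigest() == KNOWN_BODY_SHA256,
        "banner": PANEL_BANNER in body,
        "login_form": LOGIN_FORM in body,
        # /favicon.ico answering with HTML instead of an image is the kit's sloppy tell.
        "favicon_is_html": "text/html" in favicon_mime.lower()
        or favicon_body.lstrip().startswith("<"),
    }
    return {**hits, "score": sum(hits.values())}


def fingerprint_har(har: dict) -> dict:
    """Group a HAR capture's entries by host and fingerprint each host."""
    per_host = {}
    for entry in har["log"]["entries"]:
        url = urlparse(entry["request"]["url"])
        content = entry["response"].get("content", {})
        slot = per_host.setdefault(url.hostname, {"body": "", "fav": "", "mime": ""})
        if url.path == "/favicon.ico":
            slot["fav"], slot["mime"] = content.get("text", ""), content.get("mimeType", "")
        elif url.path in ("", "/", "/index.php"):
            slot["body"] = content.get("text", "")
    return {h: fingerprint_panel(s["body"], s["fav"], s["mime"]) for h, s in per_host.items()}


# Constructed HAR fragment (not a real capture) reproducing the traits listed above;
# panel.example.test is a placeholder host.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://panel.example.test/"},
     "response": {"status": 200, "content": {"mimeType": "text/html",
      "text": f"<title>{PANEL_BANNER}</title><form {LOGIN_FORM}></form>"}}},
    {"request": {"url": "https://panel.example.test/favicon.ico"},
     "response": {"status": 200, "content": {"mimeType": "text/html", "text": "<!DOCTYPE html>"}}},
]}}

if __name__ == "__main__":
    print(json.dumps(fingerprint_har(SAMPLE_HAR), indent=2))
```

The constructed sample hits the three structural traits but not the exact body hash, which is the expected result for a re-skinned copy of the kit.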


3. DNS & ASN footprint

Domain                      A record(s)                      ASN        Provider        Notes
en.veres-m.hu               172.67.183.148, 104.21.51.181    AS13335    Cloudflare      CDN hides origin
www.hr.cargo-ni.co.rs       185.102.77.47                    AS198171   Webglobe (CZ)   Small VPS range
rs.familytherapycenter.rs   188.40.95.144                    AS24940    Hetzner (DE)    Mass-market VPS

Cloudflare masks the Hungarian host's real origin, while the Czech and German VPS addresses expose normal Apache banners, which is useful for Shodan/Censys pivots.

Insights:

  • 185.102.77.47 (Webglobe):
  • 188.40.95.144 (Hetzner):
    • Open ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3306 (MySQL).
    • Server: Apache 2.4.54 on Ubuntu 20.04.
    • MySQL root banner exposed, indicating a potential misconfiguration.
    • ASN registered to Hetzner (https://hetzner.com).
    • Well-known hosting provider, in the market for 20+ years (https://bgp.tools/as/24940).

4. Sub-domain enumeration & surface OSINT

en.veres-m.hu (59 sub-domains)

en.veres-m.hu                      <- C2 Panel
autoconfig.veresm.en.veres-m.hu
veresm.en.veres-m.hu
autoconfig.stayer.en.veres-m.hu
www.hu.en.veres-m.hu
…[full list in appendix A]…

Parent domain – VERES-M Kft. sells power tools (main site: https://veres-m[.]hu/) and appears to have a separate game-hosting brand under the "www" subdomain (https://www[.]veres-m[.]hu/). Both appear legitimate at first glance. The English (en.) branch is the only one serving the stealer panel, which suggests a compromise of a cPanel account rather than of the entire business.

After some research we found the following for the power-tools company:

Appears to be registered at Budapest, Cserebogár u. 43, 1141 Hungary, phone +36 1 221 3007.

After looking up the address it does seem to be a legitimate business:

But what about the "www." subdomain? It appears to be a "legitimate" Tokyohost website:

What catches my attention is that there is another Tokyohost website hosted on a completely different IP, 46[.]107[.]215[.]7, in AS5483 (Magyar Telekom Plc.).

The company seems legitimate at tokyohost[.]eu but not at the veres-m domain; the two are difficult to correlate.

Several recommendations mention tokyohost[.]eu hosting, but none mention the veres-m domain:

This suggests one thing: compromised subdomains of veres-m[.]hu hosting a 1:1 phishing copy of the Tokyohost site (though I cannot confirm this 100%).

Note: I could not find the registered business number in the Hungarian business registry, but social proof appears to make it "legitimate".


cargo-ni.co.rs (41 sub-domains – appendix B)

Key entries:

www.hr.cargo-ni.co.rs      <- C2 Panel
whm.hr.cargo-ni.co.rs
cpanel.hr.cargo-ni.co.rs
mail.cargo-ni.co.rs

Live pages intermittently return 500 or time out; WHOIS still points to the original owner. Sub-domain naming (cpanel/whm) and the single VPS IP strongly suggest the attacker landed on shared hosting and spun up a new vhost at www.hr.

Similar MO to the previous FQDN; I was unable to find much information on this one.

VirusTotal Findings:

  • No direct file associations, but the subdomain's role as a C2 panel confirms its malicious purpose: most likely the C2 component of a wider campaign that compromises legitimate FQDNs/cPanel accounts in order to blend in. Classic MO.

familytherapycenter.rs (19 sub-domains – appendix C)

rs.familytherapycenter.rs          <- C2 panel
ftcentar.familytherapycenter.rs    <- legitimate Serbian physio site
www.familytherapycenter.rs

Parent Company: Fizio Family Centar
Industry: Healthcare (physiotherapy)
Legitimacy: Confirmed legitimate Serbian business

Instagram presence confirms legitimacy: @fiziofamilycentar lists the same street address served on the website (Bulevar Vudroa Vilsona 4a, BW Metropolitan, Entrance B #802, Belgrade).

The main website runs WordPress.


They appear to have a legitimate business, their Instagram page seems legitimate (probably too much effort for a TA to create one) and they seem to have happy customers:

They are promoting their main site on their IG (as expected).

Their main site and the "rs." subdomain hosting the C2 panel appear to use the same origin IP (Hetzner), which points to a fully compromised origin server.

Takeaways:

  • Fizio Family Centar is a well-established physiotherapy clinic in Belgrade, with a professional website (familytherapycenter.rs) claiming 1,723 satisfied customers and treatment for over 35 conditions.
  • The Instagram account (fiziofamilycentar) reinforces legitimacy, featuring posts about services and confirming the physical address at Bulevar Vudroa Vilsona 4a, BW Metropolitan, Ulaz B, #802, Beograd. A Google Maps link (familytherapycenter.rs map) further validates the location.

5. Malware lineage & VirusTotal correlations

 

VT Graph

Files tied to en.veres-m.hu

  • vKfjAfbZ.exe - (SHA256: e9ec3e26c9055bbd0ea512a581c3cfb872819a30f6ed985cfc2841e6f204a1f9): A Collector Stealer dropper, first seen 1 month ago and matching "ET MALWARE Win32/CollectorStealer CnC Exfil M3" Proofpoint IDS rule.
  • dump.csv - (SHA256: 823f444e931bb4683567fc1c10a9ddf4c1d3277c83953fae5fe80162cd0f593f): A probable credential dump, first seen 2 years ago, indicating long-term data exfiltration.

Files talking to familytherapycenter.rs (parent domain)

Fifteen binaries/archives in the last six months – EXEs, 7-Zip archives and ISO lures named Anfrage, WhatsApp img, etc. Top hit:

The full hash list appears in Appendix D (VirusTotal collection).


6. Infrastructure story-line

  1. Initial Foothold: Attackers likely gained access to cPanel credentials or exploited misconfigured subdomains on the shared-hosting accounts of three small-to-medium enterprises (SMEs).
  2. Virtual Host Creation: New subdomains (en., www.hr., rs.) were created or repurposed to point to attacker-controlled VPSs (Webglobe, Hetzner) or were obscured via Cloudflare.
  3. Panel Deployment: A single PHP kit with the Telegram banner and the /index.php?auth login. Other droppers, potentially related, appear as one-offs from other subdomains.
  4. C2 Operations: Stolen credentials were likely posted to the now-defunct Telegram channel or exfiltrated to a backend C2 server. Malicious binaries (EXEs, 7-Zip archives, ISOs) were distributed via off-site links and phoned back to these domains for secondary stages.
  5. Clean Facade: The main business websites (veres-m.hu, cargo-ni.co.rs, familytherapycenter.rs) remained operational, masking the breach from owners and users. (Ransomware is clearly not their vector :))

7. Take-aways

  • Compromising modest shared-hosting accounts remains cheap and quiet C2 real estate.
  • Sub-domain sprawl (cpanel.*, whm.*, webdisk.*) gives attackers easy camouflage; blue teams should alert on sudden new hostnames in those patterns.
  • Even when Cloudflare is in front, identical HTML body hashes let us stitch campaigns back together quickly.
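One way to implement the alerting the second take-away calls for, as an added example that is not the post's own tooling: diff a fresh passive-DNS or certificate-transparency pull against the hostnames a zone owner already knows, and flag any sub-zone where several cPanel service labels appear at once, the footprint of a freshly created vhost. The baseline and observation sets are constructed; the naming pattern mirrors the hostnames enumerated in section 4.

```python
from __future__ import annotations
from collections import defaultdict

# Labels cPanel/WHM auto-creates for every new account or vhost. Several of them
# appearing at once under a fresh sub-zone is the sprawl the take-aways describe.
CPANEL_LABELS = {"cpanel", "whm", "webdisk", "webmail", "cpcalendars", "cpcontacts",
                 "autodiscover", "autoconfig"}


def split_host(hostname: str, zones: set[str]):
    """Return (service_label_or_None, sub_zone, zone) for a hostname under one of the
    monitored zones, or None when it is outside them. '@' marks the zone apex."""
    host = hostname.lower().rstrip(".")
    for zone in sorted(zones, key=len, reverse=True):  # longest matching zone wins
        if host == zone or host.endswith("." + zone):
            labels = host[: -len(zone)].rstrip(".").split(".") if host != zone else []
            service = labels[0] if labels and labels[0] in CPANEL_LABELS else None
            sub_zone = ".".join(labels[1:] if service else labels) or "@"
            return service, sub_zone, zone
    return None


def find_sprawl(baseline: set[str], observed: set[str], zones: set[str], min_hits: int = 2) -> dict:
    """Group never-before-seen hostnames by sub-zone and report the sub-zones where at
    least `min_hits` distinct cPanel service labels appeared: the footprint of a new vhost."""
    new_hosts = {h.lower() for h in observed} - {h.lower() for h in baseline}
    labels_by_subzone: dict[str, set[str]] = defaultdict(set)
    for hostname in new_hosts:
        parsed = split_host(hostname, zones)
        if parsed and parsed[0]:
            service, sub_zone, zone = parsed
            labels_by_subzone[zone if sub_zone == "@" else f"{sub_zone}.{zone}"].add(service)
    return {k: sorted(v) for k, v in labels_by_subzone.items() if len(v) >= min_hits}


# Constructed data: hostnames the owner knows about, plus a fresh passive-DNS / CT pull.
ZONES = {"veres-m.hu"}
BASELINE = {"veres-m.hu", "www.veres-m.hu", "mail.veres-m.hu", "cpanel.veres-m.hu", "whm.veres-m.hu"}
OBSERVED = BASELINE | {"en.veres-m.hu", "www.en.veres-m.hu", "cpanel.en.veres-m.hu",
                       "whm.en.veres-m.hu", "webdisk.en.veres-m.hu",
                       "webmail.veres-m.hu", "cpanel.unrelated.test"}

if __name__ == "__main__":
    for sub_zone, labels in find_sprawl(BASELINE, OBSERVED, ZONES).items():
        print(f"ALERT new vhost footprint under {sub_zone}: {', '.join(labels)}")
```

A single new service label at the apex (webmail.veres-m.hu in the sample) stays below the threshold, so routine account maintenance does not page anyone.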

8. Indicators of Compromise and OSINT Observables

Network

en[.]veres-m[.]hu
www[.]hr[.]cargo-ni[.]co[.]rs
rs[.]familytherapycenter[.]rs

185[.]102[.]77[.]47
188[.]40[.]95[.]144 (plus any future A records resolving for those hostnames)

Edit: Extra C2s:

🎯 Domains:
u96221gx[.]beget[.]tech
ryukyu087g[.]temp[.]swtest[.]ru
www[.]a96774n3[.]beget[.]tech

IPs:
185[.]50[.]25[.]55 - (BEGET-AS, RU)
77[.]222[.]40[.]238 - (SWEB-AS, RU)
185[.]50[.]25[.]51 - (BEGET-AS, RU)

Appendix A – full subdomain list

veres-m.hu

(59 entries, verbatim as enumerated)


Appendix B – full subdomain list

cargo-ni.co.rs

(41 entries)


Appendix C – full subdomain list

familytherapycenter.rs

(19 entries)


Appendix D – 50 file hashes (Collector Stealer artefacts)
VirusTotal Collection: Link


Defender Checklist

Block IPs (185.102.77.47, 188.40.95.144) and domains (en.veres-m.hu, www.hr.cargo-ni.co.rs, rs.familytherapycenter.rs) in DNS/web proxies.

Additional Steps:

  • Patch Vulnerabilities: Update PHP 7.4.33 (EOL) and secure Apache/cPanel configurations.
  • User Training: Educate users to avoid entering credentials on suspicious login pages, especially those mimicking trusted businesses.

Conclusion

The Collector Stealer campaign is a masterclass in blending technical exploitation into legitimate infrastructure, even though this is a common MO. From a single Censys hash, some Shodan pivoting and some OSINT, we uncovered a three-domain cluster abusing legitimate Hungarian and Serbian businesses to host C2 panels, distribute malware and serve as the C2 for data exfiltration.

Defenders must act: block the IOCs and secure shared-hosting environments. As the adversaries adapt, likely resurfacing on new Telegram channels or domains (usually both), continued research is critical. This report provides a blueprint to disrupt similar campaigns and prepare for their next iteration.